Package: libnss-sss Version: 1.11.6-1 Tags: patch User: debian-...@lists.debian.org Usertags: debian-edu
Hi. While working on the next version of Debian Edu, I had a closer look at how libnss-sss update /etc/nsswitch.conf during installation, and one thing confused me. In Debian Edu we update nsswitch.conf to use sss as a backend also for the shadow database. Why is this not done by default when libnss-sss is installed? Without shadow listed in nsswitch.conf, information about account expiring do not propagate from LDAP to the Linux clients. I notice from the 1.10.0-1 changelog that the shadow update was removed becaus sssd did not support shadow maps then, but according to <URL: http://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/Configuring_Services.html > the shadow map is supported now (along passwd, groups, netgroups and services), and the sssd-ldap manual page indicate the same. Please add shadow back to the list of nsswitch.conf databases enabled automatically during installation. This patch should fix it: diff -ur sssd-1.11.6/debian/libnss-sss.postinst sssd-1.11.6-pere/debian/libnss-sss.postinst --- sssd-1.11.6/debian/libnss-sss.postinst 2014-09-11 13:41:23.000000000 +0200 +++ sssd-1.11.6-pere/debian/libnss-sss.postinst 2014-09-11 13:46:21.868017365 +0200 @@ -22,7 +22,7 @@ fi # append 'sss' to the end of the line if it's not found already sed -i --regexp-extended ' - /^(passwd|group|netgroup):/ { + /^(passwd|shadow|group|netgroup):/ { /\bsss\b/! s/$/ sss/ } ' /etc/nsswitch.conf Perhaps the services database should be updated too? -- Happy hacking Petter Reinholdtsen -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
